PHP Object Injection in Sitebuilder Dynamic Components Plugin for WordPress
CVE-2017-18604
7.5 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 10 September 2019
What is CVE-2017-18604?
The Sitebuilder Dynamic Components plugin for WordPress, up to version 1.0, is susceptible to a PHP object injection vulnerability. This flaw can be exploited through AJAX requests, allowing attackers to manipulate objects and potentially execute arbitrary PHP code. The injection occurs due to insufficient validation of user input, making it essential for website administrators to update their plugins to mitigate risks associated with this vulnerability. Affected users should take immediate action to secure their installations.